Chapter 1. Release highlights

With Univention Corporate Client 2.0 the first major release update of Univention Corporate
Client (UCC) is now available. It provides several improvements and bugfixes:

The underlying Ubuntu base has been updated to Kubuntu 14.04. Consequently, a great many
software components have been updated: KDE 4.13, Linux kernel 3.13, LibreOffice
4.2.3, Xorg 15. All the Univention packages imported from UCS have been updated to the
version of UCS 3.2-2.

The initial configuration of Univention Corporate Client is now performed via a wizard
in the Univention Management Console. This considerably simplifies the initial setup. In addition, the UCC images
can now be administered in their own UMC module.

Support for operating xrdp terminal services has been integrated: A KDE Linux desktop is provided via the RDP
protocol. In addition to access from UCC thin clients, this also allows access from
Windows or Mac OS X computers. The RDP access is very bandwidth efficient.

For licensing reasons, it is not possible to distribute the Citrix Receiver with
UCC. The installation is now integrated in the Univention Management Console setup wizard, reducing the installation
effort to just a few clicks.

A great number of improvements have been made to the UCC image build system, and as such
the generated images are now smaller in size, among other things.

UCC now also supports the rollout of systems in the UEFI boot standard.

The operation of UCC systems with an encrypted hard drive has been considerably
facilitated; the corresponding option can now be configured easily in the Univention Management Console.

UCC systems can now be configured to avoid PXE boots and start directly from their local
storage. This reduces the bootup time.

The configuration of UCC systems has been simplified; print servers, CIFS home shares
and proxy settings can now be centrally configured through policies.

UCC now uses NeutrinoRDP as its standard RDP client. Among other things, this offers
support for multi-monitor operation.

A whole range of bug fixes and smaller improvements have been integrated. UCC can now
also be monitored with Nagios, for example.

Chapter 2. Postprocessing of the update

UCS installations in which the master domain controller was installed in a release older than 2.3 still
use MD5 as the hashing algorithm for the SSL certificates. Later releases use SHA1 as the
hashing algorithm. UCC clients cannot join a domain still using MD5 hashes. The necessary
steps to migrate a UCS domain from MD5 to SHA1 are documented in the Univention Support
Database (http://sdb.univention.de/1150).
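
To find out whether a certificate is still signed with MD5, its signature algorithm can be read directly from the DER encoding. The following is an added example, not part of the original release notes or of Univention's tooling; the function names are hypothetical and the sample input is a constructed, unsigned certificate skeleton rather than a real UCS certificate.

```python
import ssl

SIG_HASH = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
            "1.2.840.113549.1.1.11": "sha256"}  # PKCS #1 RSA signature OIDs

def tlv(tag, body):
    """Encode one DER element (used to build the constructed sample below)."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                    # base-128 digits, high bit = more follows
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Hash named in the outer signatureAlgorithm field of an X.509 certificate."""
    outer, cert_start, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)           # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)            # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)  # algorithm OID
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not an X.509 certificate in DER form")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_HASH.get(oid, "unknown (" + oid + ")")

def pem_signature_hash(pem_text):           # for a certificate stored as PEM text
    return signature_hash(ssl.PEM_cert_to_DER_cert(pem_text))

def sample_cert(oid_body, tbs_len=300):
    """Constructed, unsigned certificate-shaped DER; not a real certificate."""
    alg = tlv(0x30, tlv(0x06, oid_body) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, bytes(tbs_len)) + alg + tlv(0x03, b"\x00"))

MD5_RSA = bytes.fromhex("2a864886f70d010104")   # md5WithRSAEncryption
SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # sha1WithRSAEncryption
```

A result of "md5" from pem_signature_hash() on the domain's CA or host certificate indicates that the migration described above is still outstanding.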

Chapter 3. Notes on selected packages

3.1. User switches using su

Switching from one non-root user account to another non-root user account with the
su command doesn't work. Switching to the root account is not affected.
The underlying bug cannot be easily fixed as it would lead to invasive changes. As a
workaround it is possible to first switch to root and then switch to the user account, e.g.

3.2. Terminal services based on X11 forwarding

Terminal services based on X11 forwarding are no longer supported. The corresponding
Univention Management Console policy still exists, but is now only used by UCC 1.0 systems. This policy will be
removed in a subsequent UCC version.

3.3. RDP logins and PAM home mounts after a password change at LightDM

If the user password is changed during the login at the LightDM Login Manager (e.g.,
because the Change password on next login user option is activated or
because a password has expired), the password change is effected via Kerberos. This
Kerberos password change is not "visible" for PAM modules executed after authentication.
The RDP session script and the PAM module for mounting the home directory via CIFS,
however, access the cached password and, as a result, the login fails the first time. The
correct password is then available for the second login attempt.

Chapter 4. Changelog

Listed are the changes since UCC 1.0:

4.1. General

UCC was updated to Kubuntu 14.04. The original Kubuntu LSB values are now retained. This
fixes the compatibility with packages/services depending on specific values (Bug 32627).

Patches applied to UCC 1.0 were migrated to UCC 2.0 (if applicable) (Bug 33760).

The UCS packages imported in UCC were updated to the versions in UCS 3.2-2.
Among other improvements this allows blacklisting kernel modules using the Univention Configuration Registry variable
kernel/blacklist (Bug 30177).

The apt source for errata updates has been updated for UCC 2.0 (Bug 31150).

The boot parameter force_partition can be used to enforce
repartitioning without user confirmation (Bug 30427).

The local buffer of free space on a UCC root device (needed for handling persistent data) has been reduced to
10 MB (Bug 32311).

The new boot option partition_script for UCC clients has been added. This
option defines a script to use for partitioning instead of the partitioning
settings from the image. The script must be placed in the
/var/lib/univention-client-boot/partition-scripts directory on all UCS UCC PXE servers
(Bug 34612).

During the update to a UCC 2.0 image the Univention Configuration Registry variable nameserver1 is automatically
set to the new default 127.0.1.1 if the previous value was the UCC 1.0 default
(Bug 34646).

4.4. Image build and image management

Several improvements and bugfixes were made to the image toolkit:

Use the same base multiplier when calculating the image size as the initramfs (Bug 30063).

Create all files in the working directory and move them to the target
directory at the end (Bug 31634). Also, handle
the targetdir option correctly (Bug 31634).

Whether and which packages are set to hold can be configured with the
parameter packages_hold (Bug 34489).

The build of UCC images using the UEFI boot standard is now possible: The package
ucc-image-toolkit provides
/usr/share/doc/ucc-image-toolkit/example/ucc-desktop-efi.cfg.gz as an example
configuration for UEFI partitioning (Bug 33978).

4.5. UCS domain integration

4.5.1. Domain joins of UCC clients

The SSH host keys are now recreated during domain join. They are also tracked as persistent files (Bug 30163).

rdate has been added to the dependencies of
univention-ucc-join. This ensures that the system time is synchronised
correctly (Bug 34869).

The determination of the Kerberos key version number of the UCC host account during the domain join has been fixed
(Bug 30471).

During the domain join the group and user database is now updated before running the join scripts
(Bug 30760).

The handling of the domain join password file during automated rollouts has been fixed
(Bug 33802).

4.5.2. Univention Management Console integration

A configuration wizard for thin clients and desktop clients has been added to
facilitate the initial configuration of UCC (Bug 34360).

A UMC module to download and remove UCC images has been added (Bug 30379).

A simplified wizard for the creation of UCC computers has been added (Bug 32942). The MAC address is now a required attribute (Bug 34757). A traceback when creating UCC computer objects has
been fixed (Bug 34378).

UMC icons for UCC policy objects have been added (Bug
30366). The description of a UMC module has been fixed (Bug
32433).

An unjoin script for univention-corporate-client-schema has been added, which removes
the UCC service once the last UCC app in the domain has been removed (Bug 30852).

4.5.3. PXE service

A Univention Configuration Registry module has been added to immediately apply changes of the ucc/pxe/* variables to all existing PXE
configuration files for UCC clients, e.g. setting ucc/pxe/loglevel changes the loglevel kernel parameter in all
PXE configuration files
(Bug 29904).

Obsolete code has been removed from the listener module that creates the PXE configuration
files for UCC clients (Bug 30347).

The join script 91ucc-pxe-boot.inst from ucc-pxe-boot now ensures that the default-settings
policies/dhcp_boot policy exists
(Bug 3561).

The package ucc-pxe-boot now contains the files
/var/lib/univention-client-boot/ldlinux.e32,
/var/lib/univention-client-boot/ldlinux.e64,
/var/lib/univention-client-boot/syslinux.efi32 and
/var/lib/univention-client-boot/syslinux.efi64,
which enable UEFI-PXE booting by selecting syslinux.efi64 (or syslinux.efi32) as the "boot_filename" (UDM module "policies/dhcp_boot") (Bug 33978).

The package language-pack-gnome-* has been added for all languages that are
available by default (en, de, es, fr, nl). It adds
internationalisation for the Power off button in the LightDM login manager. Note that this
package hasn't been added to the thin client image due to size constraints. It can be added
to custom images (Bug 31807).

The bash-completion package has been added to the desktop image (Bug 30254).

4.6.2. UCC thin client image

Kernel updates on the standard thin client image have been disabled by marking the package
linux-image-generic as hold (Bug 34489).

4.7. User logins

The monolithic Univention Configuration Registry template for /etc/pam.d/lightdm has been split
into a multifile template (Bug 31409).
The Univention Configuration Registry variable description of univention-lightdm has been improved
(Bug 30933). The obsolete Univention Configuration Registry variable
lightdm/wallpaper has been removed (Bug
30426).

The PAM module for creating the home directory during login (pam_mkhomedir) was not executed
under all circumstances; this has been fixed (Bug 34790). The default umask has been
changed to 0066 (Bug 31303).

The new Univention Configuration Registry variable lightdm/autologin/user allows the configuration of the user under which
the automatic login should occur. If the variable is unset, a temporary guest user is used as
before (Bug 30617).

The univention-ucc-theme package now depends on libglib2.0-bin (Bug 30579).

A bug was fixed that deleted the LightDM PAM configuration during updates (Bug 32119).

4.8. Terminal sessions

4.8.1. Citrix XenApp

The Citrix session is now correctly running in fullscreen if the autologin is used (Bug 30358).

A post-session menu has been implemented for the case that XenApp is selected as the automatic session. It allows
restarting the session, switching back to LightDM or shutting down the system (Bug 32043).

A new tool (ucc-image-add-citrix-receiver) has been created which
integrates the Citrix Receiver into a UCC image; the necessary dependencies are installed
and the Receiver installed afterwards. It is part of ucc-image-toolkit
(Bug 34452).

New Univention Configuration Registry variable citrix/accepteula: If set to true, a
configuration file is added to the user's home which accepts the EULA of Citrix Receiver
(Bug 34452).

New Univention Configuration Registry variable citrix/pulseaudio: If set to true,
the xenapp session script starts the Pulseaudio daemon for the user
(Bug 34227).

4.8.2. RDP

The handling of the Univention Configuration Registry variable rdp/geometry has been fixed. Previously it was
always overridden by the fullscreen setting (Bug 31951).

The Univention Configuration Registry variable rdp/checktls has been renamed to
rdp/tlsencryption. The handling of the Univention Configuration Registry variable
rdp/ignorecertificate has been fixed (Bug
34874).

4.8.3. XRDP

univention-xrdp provides integration of remote UCC terminal services
based on XRDP (Bug 29893). The terminal services based on
X11 forwarding have been removed (Bug 33871).

The temporary KDE directory is now stored in .kde-cache in the user's
home directory instead of /var/tmp/kdecache-*. This prevents filling up
the /var partition on terminal servers with many users (Bug 31863).

4.9. Hardware support

The udev handling for ATA CD-ROM devices has been fixed: The udev script now tries to
speed up ATA CD-ROM devices with the eject tool. Problems with changing CD/DVDs in a
drive were fixed (Bug 31685, Bug 31713).

The automounter directory cleanup has been improved: It now removes directories in more
cases, even if file handles are still open after a drive has been removed (Bug 34878).

The LightDM startup script for multimonitor configuration has been fixed (Bug 30402).

Kernel modesetting has been disabled for the Cirrus driver due to a problem initializing the framebuffer
(Bug 34448).

univention-corporate-client now depends on Network Manager (before that
change it was still present, but installed indirectly) (Bug 30297).

4.10. System services

The logging on UCC clients is now using the RELP protocol instead of UDP. This ensures that
logfiles are more complete (Bug 34863).

The Univention Configuration Registry template for the krb5.conf config file now also supports the
dns_lookup_kdc option (Bug 32080).

By default, univention-ucc-update-nss copies the nss user data from the UCS server only if the user is not already known.
This test can be disabled by setting the Univention Configuration Registry variable ucc/nss/update/force to true
(Bug 31864).

4.11. Client management

Two new Univention Configuration Registry variables have been added to preconfigure proxy settings for Firefox and KDE:
ucc/proxy/http configures the URL of the proxy server and
ucc/proxy/autoconfig/url the URL of the proxy PAC (Bug 31905, Bug 32580).

The new package univention-ucc-cifshome-pam-mount installs a mechanism to
automatically mount a CIFS share as home directory during user login. Server, share name and
mount options may be defined via the Univention Configuration Registry variables
ucc/mount/cifshome/server, ucc/mount/cifshome/share and
ucc/mount/cifshome/options (Bug 32057).

The new Univention Configuration Registry variable ucc/cups/server allows configuring CUPS server(s) (Bug 32056, Bug 32515). After
connection timeouts to a CUPS server, a reconnect is now performed (Bug 30911).

New Univention Configuration Registry variables have been added to configure the APT sources:
The contents of all Univention Configuration Registry variables of the format ucc/apt/ID (where "ID"
can be anything) are written to the file /etc/apt/sources.list.d/ucc.list
(Bug 30748).